<!DOCTYPE html>
<html lang="en">

<head>
  <meta http-equiv="Content-type" content="text/html; charset=utf-8">
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
  <meta name="description" content="34 known vulnerabilities found in 79 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
  <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
  <style type="text/css">
  
    body {
      -moz-font-feature-settings: "pnum";
      -webkit-font-feature-settings: "pnum";
      font-variant-numeric: proportional-nums;
      display: flex;
      flex-direction: column;
      font-feature-settings: "pnum";
      font-size: 100%;
      line-height: 1.5;
      min-height: 100vh;
      -webkit-text-size-adjust: 100%;
      margin: 0;
      padding: 0;
      background-color: #F5F5F5;
      font-family: 'Arial', 'Helvetica', Calibri, sans-serif;
    }
  
    h1,
    h2,
    h3,
    h4,
    h5,
    h6 {
      font-weight: 500;
    }
  
    a,
    a:link,
    a:visited {
      border-bottom: 1px solid #4b45a9;
      text-decoration: none;
      color: #4b45a9;
    }
  
    a:hover,
    a:focus,
    a:active {
      border-bottom: 1px solid #4b45a9;
    }
  
    hr {
      border: none;
      margin: 1em 0;
      border-top: 1px solid #c5c5c5;
    }
  
    ul {
      padding: 0 1em;
      margin: 1em 0;
    }
  
    code {
      background-color: #EEE;
      color: #333;
      padding: 0.25em 0.5em;
      border-radius: 0.25em;
    }
  
    pre {
      background-color: #333;
      font-family: monospace;
      padding: 0.5em 1em 0.75em;
      border-radius: 0.25em;
      font-size: 14px;
    }
  
    pre code {
      padding: 0;
      background-color: transparent;
      color: #fff;
    }
  
    a code {
      border-radius: .125rem .125rem 0 0;
      padding-bottom: 0;
      color: #4b45a9;
    }
  
    a[href^="http://"]:after,
    a[href^="https://"]:after {
      background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E");
      background-repeat: no-repeat;
      background-size: .75rem;
      content: "";
      display: inline-block;
      height: .75rem;
      margin-left: .25rem;
      width: .75rem;
    }
  
  
  /* Layout */
  
    [class*=layout-container] {
      margin: 0 auto;
      max-width: 71.25em;
      padding: 1.9em 1.3em;
      position: relative;
    }
    .layout-container--short {
      padding-top: 0;
      padding-bottom: 0;
      max-width: 48.75em;
    }
  
    .layout-container--short:after {
      display: block;
      content: "";
      clear: both;
    }
  
  /* Header */
  
    .header {
      padding-bottom: 1px;
    }
  
    .paths {
      margin-left: 8px;
    }
    .header-wrap {
      display: flex;
      flex-direction: row;
      justify-content: space-between;
      padding-top: 2em;
    }
    .project__header {
      background-color: #030328;
      color: #fff;
      margin-bottom: -1px;
      padding-top: 1em;
      padding-bottom: 0.25em;
      border-bottom: 2px solid #BBB;
    }
  
    .project__header__title {
      overflow-wrap: break-word;
      word-wrap: break-word;
      word-break: break-all;
      margin-bottom: .1em;
      margin-top: 0;
    }
  
    .timestamp {
      float: right;
      clear: none;
      margin-bottom: 0;
    }
  
    .meta-counts {
      clear: both;
      display: block;
      flex-wrap: wrap;
      justify-content: space-between;
      margin: 0 0 1.5em;
      color: #fff;
      clear: both;
      font-size: 1.1em;
    }
  
    .meta-count {
      display: block;
      flex-basis: 100%;
      margin: 0 1em 1em 0;
      float: left;
      padding-right: 1em;
      border-right: 2px solid #fff;
    }
  
    .meta-count:last-child {
      border-right: 0;
      padding-right: 0;
      margin-right: 0;
    }
  
  /* Card */
  
    .card {
      background-color: #fff;
      border: 1px solid #c5c5c5;
      border-radius: .25rem;
      margin: 0 0 2em 0;
      position: relative;
      min-height: 40px;
      padding: 1.5em;
    }
  
    .card__labels {
      position: absolute;
      top: 1.1em;
      left: 0;
      display: flex;
      align-items: center;
      gap: 8px;
    }
  
    .card .label {
      background-color: #767676;
      border: 2px solid #767676;
      color: white;
      padding: 0.25rem 0.75rem;
      font-size: 0.875rem;
      text-transform: uppercase;
      display: inline-block;
      margin: 0;
      border-radius: 0.25rem;
    }
  
    .card .label__text {
      vertical-align: text-top;
        font-weight: bold;
    }
  
    .card .label--critical {
      background-color: #AB1A1A;
      border-color: #AB1A1A;
    }
  
    .card .label--high {
      background-color: #CE5019;
      border-color: #CE5019;
    }
  
    .card .label--medium {
      background-color: #D68000;
      border-color: #D68000;
    }
  
    .card .label--low {
      background-color: #88879E;
      border-color: #88879E;
    }
  
    .severity--low {
      border-color: #88879E;
    }
  
    .severity--medium {
      border-color: #D68000;
    }
  
    .severity--high {
      border-color: #CE5019;
    }
  
    .severity--critical {
      border-color: #AB1A1A;
    }
  
    .card--vuln {
      padding-top: 4em;
    }
  
    .card--vuln .card__labels > .label:first-child {
      padding-left: 1.9em;
      padding-right: 1.9em;
      border-radius: 0 0.25rem 0.25rem 0;
    }
  
    .card--vuln .card__section h2 {
      font-size: 22px;
      margin-bottom: 0.5em;
    }
  
    .card--vuln .card__section p {
      margin: 0 0 0.5em 0;
    }
  
    .card--vuln .card__meta {
      padding: 0 0 0 1em;
      margin: 0;
      font-size: 1.1em;
    }
  
    .card .card__meta__paths {
      font-size: 0.9em;
    }
  
    .card--vuln .card__title {
      font-size: 28px;
      margin-top: 0;
      margin-right: 100px; /* Ensure space for the risk score */
    }
  
    .card--vuln .card__cta p {
      margin: 0;
      text-align: right;
    }
  
    .risk-score-display {
      position: absolute;
      top: 1.5em;
      right: 1.5em;
      text-align: right;
      z-index: 10;
    }
  
    .risk-score-display__label {
      font-size: 0.7em;
      font-weight: bold;
      color: #586069;
      text-transform: uppercase;
      line-height: 1;
      margin-bottom: 3px;
    }
  
    .risk-score-display__value {
      font-size: 1.9em;
      font-weight: 600;
      color: #24292e;
      line-height: 1;
    }
  
    .source-panel {
      clear: both;
      display: flex;
      justify-content: flex-start;
      flex-direction: column;
      align-items: flex-start;
      padding: 0.5em 0;
      width: fit-content;
    }
  
  
  
  </style>
  <style type="text/css">
    .metatable {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      margin-top: 12px;
      border-collapse: collapse;
      border-spacing: 0;
      font-variant-numeric: tabular-nums;
      max-width: 51.75em;
    }
  
    tbody {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      display: flex;
      flex-wrap: wrap;
    }
  
    .meta-row {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      outline: none;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      display: flex;
      align-items: start;
      border-top: 1px solid #d3d3d9;
      padding: 8px 0 0 0;
      border-bottom: none;
      margin: 8px;
      width: 47.75%;
    }
  
    .meta-row-label {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      color: #4c4a73;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      margin: 0;
      outline: none;
      text-decoration: none;
      z-index: auto;
      align-self: start;
      flex: 1;
      font-size: 1rem;
      line-height: 1.5rem;
      padding: 0;
      text-align: left;
      vertical-align: top;
      text-transform: none;
      letter-spacing: 0;
    }
  
    .meta-row-value {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      word-break: break-word;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: right;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
    }
  </style>
</head>

<body class="section-projects">
  <main class="layout-stacked">
        <div class="layout-stacked__header header">
          <header class="project__header">
            <div class="layout-container">
              <a class="brand" href="https://snyk.io" title="Snyk">
                <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img">
                  <title>Snyk - Open Source Security</title>
                  <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
                    <g fill="#fff">
                      <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path>
                    </g>
                  </g>
                </svg>
              </a>
              <div class="header-wrap">
                  <h1 class="project__header__title">Snyk test report</h1>
    
                <p class="timestamp">September 28th 2025, 12:30:52 am (UTC+00:00)</p>
              </div>
              <div class="source-panel">
                <span>Scanned the following paths:</span>
                <ul>
                  <li class="paths">ghcr.io/dexidp/dex:v2.41.1/dexidp/dex (apk)</li>
                  <li class="paths">ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)</li>
                  <li class="paths">ghcr.io/dexidp/dex:v2.41.1/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)</li>
                  <li class="paths">ghcr.io/dexidp/dex:v2.41.1/dexidp/dex//usr/local/bin/dex (gomodules)</li>
                </ul>
              </div>
    
              <div class="meta-counts">
                <div class="meta-count"><span>34</span> <span>known vulnerabilities</span></div>
                <div class="meta-count"><span>79 vulnerable dependency paths</span></div>
                <div class="meta-count"><span>969</span> <span>dependencies</span></div>
              </div><!-- .meta-counts -->
            </div><!-- .layout-container--short -->
          </header><!-- .project__header -->
        </div><!-- .layout-stacked__header -->

    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--critical">
                        <span class="label__text">critical severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            golang.org/x/crypto/ssh
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.24.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        golang.org/x/crypto/ssh@v0.24.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="overview">Overview</h2>
        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
        <li><a href="https://github.com/NHAS/CVE-2024-45337-POC">PoC</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">Access of Resource Using Incompatible Type (&#x27;Type Confusion&#x27;)</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--high">
                        <span class="label__text">high severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Package Manager: alpine:3.20
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            openssl/libcrypto3
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        busybox/ssl_client@1.36.1-r29
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        busybox/ssl_client@1.36.1-r29
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em>
        <em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p>
        <p>Issue summary: Applications performing certificate name checks (e.g., TLS
        clients checking server certificates) may attempt to read an invalid memory
        address resulting in abnormal termination of the application process.</p>
        <p>Impact summary: Abnormal termination of an application can a cause a denial of
        service.</p>
        <p>Applications performing certificate name checks (e.g., TLS clients checking
        server certificates) may attempt to read an invalid memory address when
        comparing the expected name with an <code>otherName</code> subject alternative name of an
        X.509 certificate. This may result in an exception that terminates the
        application program.</p>
        <p>Note that basic certificate chain validation (signatures, dates, ...) is not
        affected, the denial of service can occur only when the application also
        specifies an expected DNS name, Email address or IP address.</p>
        <p>TLS servers rarely solicit client certificates, and even when they do, they
        generally don&#39;t perform a name check against a reference identifier (expected
        identity), but rather extract the presented identity after checking the
        certificate chain.  So TLS servers are generally not affected and the severity
        of the issue is Moderate.</p>
        <p>The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.</p>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.2-r0 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f">https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f</a></li>
        <li><a href="https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6">https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6</a></li>
        <li><a href="https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2">https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2</a></li>
        <li><a href="https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0">https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0</a></li>
        <li><a href="https://openssl-library.org/news/secadv/20240903.txt">https://openssl-library.org/news/secadv/20240903.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/09/03/4">http://www.openwall.com/lists/oss-security/2024/09/03/4</a></li>
        <li><a href="https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html">https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html</a></li>
        <li><a href="https://security.netapp.com/advisory/ntap-20240912-0001/">https://security.netapp.com/advisory/ntap-20240912-0001/</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-7895537">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--high">
                        <span class="label__text">high severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            golang.org/x/oauth2/jws
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and golang.org/x/oauth2/jws@v0.21.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        golang.org/x/oauth2/jws@v0.21.0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        golang.org/x/oauth2/jws@v0.21.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="overview">Overview</h2>
        <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.</p>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>golang.org/x/oauth2/jws</code> to version 0.27.0 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://github.com/golang/oauth2/commit/681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3">GitHub Commit</a></li>
        <li><a href="https://github.com/lestrrat-go/jwx/commit/d0bb4610154d45b7dce7d706a8068ea72586d249">GitHub Commit</a></li>
        <li><a href="https://github.com/golang/go/issues/71490">GitHub Issue</a></li>
        <li><a href="https://github.com/lestrrat-go/jwx/pull/1308">GitHub PR</a></li>
        <li><a href="https://pkg.go.dev/vuln/GO-2025-3488">Go Advisory</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXOAUTH2JWS-8749594">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">Server-side Request Forgery (SSRF)</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--high">
                        <span class="label__text">high severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            golang.org/x/net/http/httpproxy
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and golang.org/x/net/http/httpproxy@v0.26.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        golang.org/x/net/http/httpproxy@v0.26.0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        golang.org/x/net/http/httpproxy@v0.27.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="overview">Overview</h2>
        <p><a href="https://pkg.go.dev/golang.org/x/net/http/httpproxy">golang.org/x/net/http/httpproxy</a> is a package for HTTP proxy determination based on environment variables, as provided by net/http&#39;s ProxyFromEnvironment function</p>
        <p>Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in <code>proxy.go</code>, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. An environment variable value like <code>*.example.com</code> could be matched to a request intended for <code>[::1%25.example.com]:80</code>.</p>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>golang.org/x/net/http/httpproxy</code> to version 0.36.0 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://go-review.googlesource.com/c/go/+/654717/4/src/vendor/golang.org/x/net/http/httpproxy/proxy.go">Git Commit</a></li>
        <li><a href="https://github.com/golang/go/commit/3705a6f1f0a66e70916bb09f50f4fcd1c520df53">GitHub Commit</a></li>
        <li><a href="https://github.com/golang/net/commit/76f9bf3279eff2e596db4960a78a2665d0ff9405">GitHub Commit</a></li>
        <li><a href="https://github.com/golang/go/issues/71984">GitHub Issue</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTPHTTPPROXY-9058601">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">Denial of Service (DoS)</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--high">
                        <span class="label__text">high severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            golang.org/x/net/html
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/dexidp/dex@* and golang.org/x/net/html@v0.27.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        golang.org/x/net/html@v0.27.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="overview">Overview</h2>
        <p><a href="https://pkg.go.dev/golang.org/x/net/html">golang.org/x/net/html</a> is a package that implements an HTML5-compliant tokenizer and parser.</p>
        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the functions <code>parseDoctype</code>, <code>htmlIntegrationPoint</code>, <code>inBodyIM</code> and <code>inTableIM</code>  due to inefficient usage of the method <code>strings.ToLower</code> combining with the <code>==</code> operator to convert strings to lowercase and then comparing them.</p>
        <p>An attacker can cause the application to slow down significantly by crafting inputs that are processed non-linearly.</p>
        <h2 id="details">Details</h2>
        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
        <p>Two common types of DoS vulnerabilities:</p>
        <ul>
        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
        </li>
        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
        </li>
        </ul>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>golang.org/x/net/html</code> to version 0.33.0 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://github.com/golang/net/commit/8e66b04771e35c4e4125e8c60334b34e2423effb">GitHub Commit</a></li>
        <li><a href="https://github.com/golang/go/issues/70906">GitHub Issue</a></li>
        <li><a href="https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ">Google Groups Forum</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTML-8535262">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">Improper Handling of Unexpected Data Type</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--high">
                        <span class="label__text">high severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            golang.org/x/crypto/ssh/agent
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.24.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        golang.org/x/crypto/ssh/agent@v0.24.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="overview">Overview</h2>
        <p>Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type when functions including <code>List()</code> and <code>SignWithFlags()</code> process <code>*successAgentMsg</code>. This can be triggered by a malicious agent sending a single <code>0x06</code> byte (<code>SSH_AGENT_SUCCESS</code>), which is unmarshalled into a <code>*successAgentMsg</code>, causing a panic and client crash.</p>
        <h2 id="details">Details</h2>
        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
        <p>Two common types of DoS vulnerabilities:</p>
        <ul>
        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
        </li>
        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
        </li>
        </ul>
        <h2 id="remediation">Remediation</h2>
        <p>A fix was pushed into the <code>master</code> branch but not yet published.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://github.com/golang/crypto/commit/559e062ce8bfd6a39925294620b50906ca2a6f95">GitHub Commit</a></li>
        <li><a href="https://github.com/golang/go/issues/75178">GitHub Issue</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSHAGENT-12668891">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--high">
                        <span class="label__text">high severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            golang.org/x/crypto/ssh
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.24.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        golang.org/x/crypto/ssh@v0.24.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="overview">Overview</h2>
        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
        <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in <code>handshakeTransport</code> in <code>handshake.go</code>. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a <code>SSH_MSG_KEXINIT</code>. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.</p>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.35.0 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://go.dev/cl/652135">Git Commit</a></li>
        <li><a href="https://go.dev/issue/71931">Go Issue</a></li>
        <li><a href="https://pkg.go.dev/vuln/GO-2025-3487">Vulnerability Advisory</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8747056">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
            <h2 class="card__title">Asymmetric Resource Consumption (Amplification)</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--high">
                        <span class="label__text">high severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            github.com/golang-jwt/jwt/v5
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/golang-jwt/jwt/v5@v5.2.1
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/golang-jwt/jwt/v5@v5.2.1
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="overview">Overview</h2>
        <p>Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) through the <code>parse.ParseUnverified</code> function. An attacker can cause excessive memory allocation by sending a crafted request with many period characters in the <code>Authorization</code> header.</p>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>github.com/golang-jwt/jwt/v5</code> to version 5.2.2 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3">GitHub Commit</a></li>
        <li><a href="https://github.com/golang-jwt/jwt/releases/tag/v4.5.2">GitHub Release 4.5.2</a></li>
        <li><a href="https://github.com/golang-jwt/jwt/releases/tag/v5.2.2">GitHub Release 5.2.2</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOLANGJWTJWTV5-9510922">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">Insertion of Sensitive Information into Log File</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            google.golang.org/grpc/metadata
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and google.golang.org/grpc/metadata@v1.64.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        google.golang.org/grpc/metadata@v1.64.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="overview">Overview</h2>
        <p><a href="https://pkg.go.dev/github.com/grpc/grpc-go/metadata">google.golang.org/grpc/metadata</a> is a package that defines the structure of the metadata supported by the gRPC library</p>
        <p>Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the form of gRPC metadata. If the metadata contains sensitive information an attacker can expose it.</p>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>google.golang.org/grpc/metadata</code> to version 1.64.1 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://github.com/grpc/grpc-go/commit/ab292411ddc0f3b7a7786754d1fe05264c3021eb">GitHub Commit</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPCMETADATA-7430177">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">Improper Validation of Syntactic Correctness of Input</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            golang.org/x/net/html
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/dexidp/dex@* and golang.org/x/net/html@v0.27.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        golang.org/x/net/html@v0.27.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="overview">Overview</h2>
        <p><a href="https://pkg.go.dev/golang.org/x/net/html">golang.org/x/net/html</a> is a package that implements an HTML5-compliant tokenizer and parser.</p>
        <p>Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the tokenizer in <code>token.go</code>, which incorrectly interprets tags as closing tags, allowing malicious input to be incorrectly processed and the DOM to be corrupted.</p>
        <h2 id="details">Details</h2>
        <p>Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.</p>
        <p>This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML)  in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.</p>
        <p>Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.</p>
        <p>Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, <code>&lt;</code> can be coded as  <code>&amp;lt</code>; and <code>&gt;</code> can be coded as <code>&amp;gt</code>; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses <code>&lt;</code> and <code>&gt;</code> as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.</p>
        <p>The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. </p>
        <h3 id="types-of-attacks">Types of attacks</h3>
        <p>There are a few methods by which XSS can be manipulated:</p>
        <table>
        <thead>
        <tr>
        <th>Type</th>
        <th>Origin</th>
        <th>Description</th>
        </tr>
        </thead>
        <tbody><tr>
        <td><strong>Stored</strong></td>
        <td>Server</td>
        <td>The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.</td>
        </tr>
        <tr>
        <td><strong>Reflected</strong></td>
        <td>Server</td>
        <td>The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.</td>
        </tr>
        <tr>
        <td><strong>DOM-based</strong></td>
        <td>Client</td>
        <td>The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.</td>
        </tr>
        <tr>
        <td><strong>Mutated</strong></td>
        <td></td>
        <td>The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.</td>
        </tr>
        </tbody></table>
        <h3 id="affected-environments">Affected environments</h3>
        <p>The following environments are susceptible to an XSS attack:</p>
        <ul>
        <li>Web servers</li>
        <li>Application servers</li>
        <li>Web application environments</li>
        </ul>
        <h3 id="how-to-prevent">How to prevent</h3>
        <p>This section describes the top best practices designed to specifically protect your code: </p>
        <ul>
        <li>Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. </li>
        <li>Convert special characters such as <code>?</code>, <code>&amp;</code>, <code>/</code>, <code>&lt;</code>, <code>&gt;</code> and spaces to their respective HTML or URL encoded equivalents. </li>
        <li>Give users the option to disable client-side scripts.</li>
        <li>Redirect invalid requests.</li>
        <li>Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.</li>
        <li>Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.</li>
        <li>Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.</li>
        </ul>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>golang.org/x/net/html</code> to version 0.38.0 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9">GitHub Commit</a></li>
        <li><a href="https://github.com/golang/go/issues/73070">GitHub Issue</a></li>
        <li><a href="https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA">Google Groups Announcement</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTML-9572088">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/vault/api
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.14.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/vault/api@v1.14.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:vault:api:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/serf/coordinate
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/serf/coordinate@v0.10.1
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/serf/coordinate@v0.10.1
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:serf:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/hcl/v2
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/dexidp/dex@* and github.com/hashicorp/hcl/v2@v2.13.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/hcl/v2@v2.13.0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/hcl/v2/ext/customdecode@v2.13.0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/hcl/v2/ext/tryfunc@v2.13.0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/hcl/v2/gohcl@v2.13.0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/hcl/v2/hclparse@v2.13.0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/hcl/v2/hclsyntax@v2.13.0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/hcl/v2/hclwrite@v2.13.0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/hcl/v2/json@v2.13.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:hcl:v2:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/hcl
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/hcl@v1.0.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/hcl@v1.0.0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/hcl/hcl/token@v1.0.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:hcl:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/golang-lru/simplelru
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/golang-lru/simplelru@v1.0.2
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/golang-lru/simplelru@v1.0.2
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:golang-lru:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/go-uuid
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-uuid@v1.0.3
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-uuid@v1.0.3
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-uuid:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/go-sockaddr
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-sockaddr@v1.0.6
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-sockaddr@v1.0.6
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-sockaddr/template@v1.0.6
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-sockaddr:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/go-secure-stdlib/strutil
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-secure-stdlib:strutil:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/go-secure-stdlib/parseutil
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-secure-stdlib:parseutil:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/go-secure-stdlib/awsutil
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-secure-stdlib:awsutil:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/go-rootcerts
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-rootcerts@v1.0.2
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-rootcerts@v1.0.2
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-rootcerts:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/go-retryablehttp
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-retryablehttp@v0.7.7
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-retryablehttp@v0.7.7
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/go-multierror
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-multierror@v1.1.1
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-multierror@v1.1.1
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-multierror:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/go-immutable-radix
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-immutable-radix@v1.3.1
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-immutable-radix@v1.3.1
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-immutable-radix:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/go-cleanhttp
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-cleanhttp@v0.5.2
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/go-cleanhttp@v0.5.2
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/errwrap
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/errwrap@v1.1.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/errwrap@v1.1.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:errwrap:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/hashicorp/consul/api
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/consul/api@v1.29.1
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/hashicorp/consul/api@v1.29.1
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:consul:api:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/gosimple/slug
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/gosimple/slug@v1.14.0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/gosimple/slug@v1.14.0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">MPL-2.0 license</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/dexidp/dex <span class="list-paths__item__arrow">›</span> /usr/local/bin/dex
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Module:
        
                            github.com/go-sql-driver/mysql
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/dexidp/dex@* and github.com/go-sql-driver/mysql@v1.8.1
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/go-sql-driver/mysql@v1.8.1
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <p>MPL-2.0 license</p>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:go-sql-driver:mysql:MPL-2.0">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
            <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--medium">
                        <span class="label__text">medium severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
                    </li>
                    <li class="card__meta__item">
                        Package Manager: golang
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            github.com/go-jose/go-jose/v4
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                github.com/hairyhenderson/gomplate/v4@* and github.com/go-jose/go-jose/v4@v4.0.2
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/hairyhenderson/gomplate/v4@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/go-jose/go-jose/v4@v4.0.2
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        github.com/dexidp/dex@*
                                         <span class="list-paths__item__arrow">›</span> 
                                        github.com/go-jose/go-jose/v4@v4.0.4
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="overview">Overview</h2>
        <p>Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of <code>strings.Split</code> to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of <code>.</code> characters. </p>
        <h2 id="workaround">Workaround</h2>
        <p>This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of <code>.</code> characters.</p>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>github.com/go-jose/go-jose/v4</code> to version 4.0.5 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22">GitHub Commit</a></li>
        <li><a href="https://github.com/go-jose/go-jose/releases/tag/v4.0.5">GitHub Release</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOJOSEGOJOSEV4-8745975">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
            <h2 class="card__title">CVE-2024-9143</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--low">
                        <span class="label__text">low severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Package Manager: alpine:3.20
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            openssl/libcrypto3
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        busybox/ssl_client@1.36.1-r29
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        busybox/ssl_client@1.36.1-r29
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em>
        <em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p>
        <p>Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted
        explicit values for the field polynomial can lead to out-of-bounds memory reads
        or writes.</p>
        <p>Impact summary: Out of bound memory writes can lead to an application crash or
        even a possibility of a remote code execution, however, in all the protocols
        involving Elliptic Curve Cryptography that we&#39;re aware of, either only &#34;named
        curves&#34; are supported, or, if explicit curve parameters are supported, they
        specify an X9.62 encoding of binary (GF(2^m)) curves that can&#39;t represent
        problematic input values. Thus the likelihood of existence of a vulnerable
        application is low.</p>
        <p>In particular, the X9.62 encoding is used for ECC keys in X.509 certificates,
        so problematic inputs cannot occur in the context of processing X.509
        certificates.  Any problematic use-cases would have to be using an &#34;exotic&#34;
        curve encoding.</p>
        <p>The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),
        and various supporting BN_GF2m_*() functions.</p>
        <p>Applications working with &#34;exotic&#34; explicit binary (GF(2^m)) curve parameters,
        that make it possible to represent invalid field polynomials with a zero
        constant term, via the above or similar APIs, may terminate abruptly as a
        result of reading or writing outside of array bounds.  Remote code execution
        cannot easily be ruled out.</p>
        <p>The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.</p>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.2-r3 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712">https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712</a></li>
        <li><a href="https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700">https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700</a></li>
        <li><a href="https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4">https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4</a></li>
        <li><a href="https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154">https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154</a></li>
        <li><a href="https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a">https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a</a></li>
        <li><a href="https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41">https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41</a></li>
        <li><a href="https://openssl-library.org/news/secadv/20241016.txt">https://openssl-library.org/news/secadv/20241016.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/10/16/1">http://www.openwall.com/lists/oss-security/2024/10/16/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/10/23/1">http://www.openwall.com/lists/oss-security/2024/10/23/1</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2024/10/24/1">http://www.openwall.com/lists/oss-security/2024/10/24/1</a></li>
        <li><a href="https://security.netapp.com/advisory/ntap-20241101-0001/">https://security.netapp.com/advisory/ntap-20241101-0001/</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8235201">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
            <h2 class="card__title">CVE-2024-13176</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--low">
                        <span class="label__text">low severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Package Manager: alpine:3.20
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            openssl/libcrypto3
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        busybox/ssl_client@1.36.1-r29
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        busybox/ssl_client@1.36.1-r29
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em>
        <em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p>
        <p>Issue summary: A timing side-channel which could potentially allow recovering
        the private key exists in the ECDSA signature computation.</p>
        <p>Impact summary: A timing side-channel in ECDSA signature computations
        could allow recovering the private key by an attacker. However, measuring
        the timing would require either local access to the signing application or
        a very fast network connection with low latency.</p>
        <p>There is a timing signal of around 300 nanoseconds when the top word of
        the inverted ECDSA nonce value is zero. This can happen with significant
        probability only for some of the supported elliptic curves. In particular
        the NIST P-521 curve is affected. To be able to measure this leak, the attacker
        process must either be located in the same physical computer or must
        have a very fast network connection with low latency. For that reason
        the severity of this vulnerability is Low.</p>
        <p>The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.</p>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.2-r2 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844">https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844</a></li>
        <li><a href="https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467">https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467</a></li>
        <li><a href="https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902">https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902</a></li>
        <li><a href="https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65">https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65</a></li>
        <li><a href="https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f">https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f</a></li>
        <li><a href="https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded">https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded</a></li>
        <li><a href="https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86">https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86</a></li>
        <li><a href="https://openssl-library.org/news/secadv/20250120.txt">https://openssl-library.org/news/secadv/20250120.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2025/01/20/2">http://www.openwall.com/lists/oss-security/2025/01/20/2</a></li>
        <li><a href="https://security.netapp.com/advisory/ntap-20250124-0005/">https://security.netapp.com/advisory/ntap-20250124-0005/</a></li>
        <li><a href="https://security.netapp.com/advisory/ntap-20250418-0010/">https://security.netapp.com/advisory/ntap-20250418-0010/</a></li>
        <li><a href="https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html">https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8690013">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
            <h2 class="card__title">CVE-2024-12797</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--low">
                        <span class="label__text">low severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Package Manager: alpine:3.20
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            openssl/libcrypto3
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        busybox/ssl_client@1.36.1-r29
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        busybox/ssl_client@1.36.1-r29
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em>
        <em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p>
        <p>Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a
        server may fail to notice that the server was not authenticated, because
        handshakes don&#39;t abort as expected when the SSL_VERIFY_PEER verification mode
        is set.</p>
        <p>Impact summary: TLS and DTLS connections using raw public keys may be
        vulnerable to man-in-middle attacks when server authentication failure is not
        detected by clients.</p>
        <p>RPKs are disabled by default in both TLS clients and TLS servers.  The issue
        only arises when TLS clients explicitly enable RPK use by the server, and the
        server, likewise, enables sending of an RPK instead of an X.509 certificate
        chain.  The affected clients are those that then rely on the handshake to
        fail when the server&#39;s RPK fails to match one of the expected public keys,
        by setting the verification mode to SSL_VERIFY_PEER.</p>
        <p>Clients that enable server-side raw public keys can still find out that raw
        public key verification failed by calling SSL_get_verify_result(), and those
        that do, and take appropriate action, are not affected.  This issue was
        introduced in the initial implementation of RPK support in OpenSSL 3.2.</p>
        <p>The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.</p>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>Alpine:3.20</code> <code>openssl</code> to version 3.3.3-r0 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://github.com/openssl/openssl/commit/738d4f9fdeaad57660dcba50a619fafced3fd5e9">https://github.com/openssl/openssl/commit/738d4f9fdeaad57660dcba50a619fafced3fd5e9</a></li>
        <li><a href="https://github.com/openssl/openssl/commit/798779d43494549b611233f92652f0da5328fbe7">https://github.com/openssl/openssl/commit/798779d43494549b611233f92652f0da5328fbe7</a></li>
        <li><a href="https://github.com/openssl/openssl/commit/87ebd203feffcf92ad5889df92f90bb0ee10a699">https://github.com/openssl/openssl/commit/87ebd203feffcf92ad5889df92f90bb0ee10a699</a></li>
        <li><a href="https://openssl-library.org/news/secadv/20250211.txt">https://openssl-library.org/news/secadv/20250211.txt</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2025/02/11/3">http://www.openwall.com/lists/oss-security/2025/02/11/3</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2025/02/11/4">http://www.openwall.com/lists/oss-security/2025/02/11/4</a></li>
        <li><a href="https://security.netapp.com/advisory/ntap-20250214-0001/">https://security.netapp.com/advisory/ntap-20250214-0001/</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8710359">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
        <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
            <h2 class="card__title">CVE-2025-26519</h2>
            <div class="card__section">
        
                <div class="card__labels">
                    <div class="label label--low">
                        <span class="label__text">low severity</span>
                    </div>
                </div>
        
                <hr/>
        
                <ul class="card__meta">
                    <li class="card__meta__item">
                        Package Manager: alpine:3.20
                    </li>
                    <li class="card__meta__item">
                            Vulnerable module:
        
                            musl/musl
                    </li>
        
                    <li class="card__meta__item">Introduced through:
        
                                docker-image|ghcr.io/dexidp/dex@v2.41.1 and musl/musl@1.2.5-r0
        
                    </li>
                </ul>
        
                <hr/>
        
        
                        <h3 class="card__section__title">Detailed paths</h3>
        
                    <ul class="card__meta__paths">
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        musl/musl@1.2.5-r0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        musl/musl@1.2.5-r0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        busybox/ssl_client@1.36.1-r29
                                         <span class="list-paths__item__arrow">›</span> 
                                        musl/musl@1.2.5-r0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        musl/musl-utils@1.2.5-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        musl/musl@1.2.5-r0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libcrypto3@3.3.1-r3
                                         <span class="list-paths__item__arrow">›</span> 
                                        musl/musl@1.2.5-r0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        openssl/libssl3@3.3.1-r3
                                         <span class="list-paths__item__arrow">›</span> 
                                        musl/musl@1.2.5-r0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        apk-tools/apk-tools@2.14.4-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        zlib/zlib@1.3.1-r1
                                         <span class="list-paths__item__arrow">›</span> 
                                        musl/musl@1.2.5-r0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        musl/musl-utils@1.2.5-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        pax-utils/scanelf@1.3.7-r2
                                         <span class="list-paths__item__arrow">›</span> 
                                        musl/musl@1.2.5-r0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        alpine-baselayout/alpine-baselayout@3.6.5-r0
                                         <span class="list-paths__item__arrow">›</span> 
                                        busybox/busybox-binsh@1.36.1-r29
                                         <span class="list-paths__item__arrow">›</span> 
                                        busybox/busybox@1.36.1-r29
                                         <span class="list-paths__item__arrow">›</span> 
                                        musl/musl@1.2.5-r0
                                        
                                </span>
        
                            </li>
                                <li>
                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                        docker-image|ghcr.io/dexidp/dex@v2.41.1
                                         <span class="list-paths__item__arrow">›</span> 
                                        musl/musl-utils@1.2.5-r0
                                        
                                </span>
        
                            </li>
                    </ul><!-- .list-paths -->
        
            </div><!-- .card__section -->
        
              <hr/>
              <!-- Overview -->
              <h2 id="nvd-description">NVD Description</h2>
        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>musl</code> package and not the <code>musl</code> package as distributed by <code>Alpine</code>.</em>
        <em>See <code>How to fix?</code> for <code>Alpine:3.20</code> relevant fixed versions and status.</em></p>
        <p>musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.</p>
        <h2 id="remediation">Remediation</h2>
        <p>Upgrade <code>Alpine:3.20</code> <code>musl</code> to version 1.2.5-r1 or higher.</p>
        <h2 id="references">References</h2>
        <ul>
        <li><a href="https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da">https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da</a></li>
        <li><a href="https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659">https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659</a></li>
        <li><a href="https://www.openwall.com/lists/oss-security/2025/02/13/2">https://www.openwall.com/lists/oss-security/2025/02/13/2</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2025/02/13/2">http://www.openwall.com/lists/oss-security/2025/02/13/2</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2025/02/13/3">http://www.openwall.com/lists/oss-security/2025/02/13/3</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2025/02/13/4">http://www.openwall.com/lists/oss-security/2025/02/13/4</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2025/02/13/5">http://www.openwall.com/lists/oss-security/2025/02/13/5</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2025/02/14/5">http://www.openwall.com/lists/oss-security/2025/02/14/5</a></li>
        <li><a href="http://www.openwall.com/lists/oss-security/2025/02/14/6">http://www.openwall.com/lists/oss-security/2025/02/14/6</a></li>
        </ul>
        
              <hr/>
        
            <div class="cta card__cta">
                <p><a href="https://snyk.io/vuln/SNYK-ALPINE320-MUSL-8720638">More about this vulnerability</a></p>
            </div>
        
        </div><!-- .card -->
      </div><!-- cards -->
    </div>
  </main><!-- .layout-stacked__content -->
</body>

</html>
